(54) Data communication network

(57) The invention relates to a data communication network suitable for the exchange of data between computers, which network comprises at least one substantially wireless LAN (Local Area Network) and access points distributed over an area of coverage for linking the computers comprised in the minimally one LAN, with the network. The minimally one wireless LAN is virtual and the data traffic with the computers belonging to that particular LAN is individualized by encoding the data exchanged between the computers and the access points by using for each LAN a unique key.
Description

[0001] The invention relates to a data communication network suitable for the exchange of data between computers, which network comprises at least one substantially wireless LAN (Local Area Network) and access points distributed over an area of coverage for linking the computers comprised in the minimally one LAN, with the network.

[0002] Such a data communication network has been known in practice for years. The wireless local area network (LAN) comprised in such a data communication network is designed to provide a great degree of flexibility and mobility and to lower the otherwise necessary costs for infrastructure and control. Such a wireless LAN may include a laptop computer equipped for wireless communication. In order to provide the communication function, the network is equipped with so-called access points which are set up in the geographical area served by the wireless LAN. Usually an access point serves a small area called a cell, having a radius of between 10 and 100 metres. Therefore, for serving a somewhat extensive area of coverage, the application of several access points is required. Among themselves, these access points are linked by means of network techniques which are known as such, and which may or may not be wired, such as for example the Ethernet infrastructure.
[0003] The data communication network forming the object of the present invention comprises at least one wireless local area network, and may otherwise be wired for linking with possibly further virtual local area networks, for example in accordance with the IEEE 802.1Q standard for virtual LANs or similarly, as known from WO 96/04734. When such a data communication network provides the possibility of applying several wireless local area networks, a problem arises that is intrinsic to the type of wireless communication. When computers from different local area networks operate in the same geographical area it is, in view of the fact that wireless communication takes place via the ether, very difficult to maintain the integrity of the data traffic in the respective local area networks according to the prior art.
[0004] There are various solutions to this problem. On the one hand, the number of access points may be enlarged in concurrence with the number of local area networks present in a certain area of coverage; however, this is very costly and, with respect to the utilization of the available transmitter frequencies, very inefficient. Another solution is not to increase the number of access points, but to restrict the mobility of the computers in local area networks. However, instead of solving a problem this merely avoids a problem. Another possibility is to abandon the idea of the smaller local area networks and to equip the system as one integral network. This would indeed avoid the indicated problem, but would create problems relating to the security of the data traffic, and will produce an exponential increase of the control problem. Accordingly, the performance of the system will deteriorate because data which is destined for a limited number of computers will be sent to everyone.
[0005] US 5,199,072 concerns wireless local area networks and means for restricting access within such networks. The wireless LAN according to this publication utilizes a control module to control communication with user modules that are linked with such devices as terminals, personal computers and similar equipment. Access to the wireless LAN is controlled by the control module and for each user module a unique identification number is employed, which information is stored in the memory of the control module. Prior to permitting network access the control module verifies the identification of the requesting user module. The users that are active in a certain geographical area form part of a group sharing the same control module and when the mobile users are roaming, a transfer of the user concerned from one user group to the next is required, necessitating the assignment of a new password into the user module seeking access into the next user group. According to US 5,199,072 a particular user is, however, not able to roam from one area to the other whilst maintaining membership of one particular virtual LAN.
[0006] It is the object of the invention to provide a system in which the data communication network can be used whilst being able to encompass several wireless LANs, without unduly aggravating the control problem with respect to the data traffic in the system, and without requiring concessions with regard to the mobility of the various computer users who are part of a wireless LAN.

[0007] According to the invention the data communication network is therefore equipped such that the minimally one wireless LAN is virtual and that the data traffic with the computers belonging to that particular LAN is individualized by encoding the data exchanged between the computers and the access points by using for each LAN a unique key.

[0008] In one preferred embodiment therefore every computer is provided with its own unique key. In this manner point-to-point data links can be established between the various computers wirelessly encompassed in the network and the access points. To this end, data encoding techniques may be applied that are generally known from the literature, the only prerequisite being that the keys applied are capable of distinguishing the individual data links between the respective computers and the access points. By providing said keys, the respective access points can be equipped such that they recognize to which virtual LAN or virtual LANs they belong and also to which LAN the computers sending and/or receiving data to and from said access points belong. The various keys may be determined beforehand for each LAN.

[0009] In one particular embodiment, however, it is advantageous that the data communication network is equipped to generate the unique key the moment that data traffic between one or more computers from a LAN and the network is established. This is advantageous with regard to controllability.

[0010] One suitable embodiment endowed with the necessary guarantees regarding authentication of the data traffic is characterized in that the generation of the unique key occurs with the public-key algorithm which is known as such; see W. Diffie and M.E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, no. 6, Nov. 1976, pp. 644-654.
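As an added illustration of the key generation described in [0009] and [0010] (example code written for this page, not part of the patent), the following Python runs a Diffie-Hellman exchange between a station and an access point at the moment the station first sends traffic, and derives the per-LAN key from the shared value together with the VLAN identifier. The group parameters are a toy safe prime chosen so the example runs instantly and can be inspected by hand; the public-value check and the binding of the VLAN id and both public values into the key derivation are design choices of this example, not something the patent specifies.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption for the example): safe prime p = 2q + 1 with q = 509,
# and g = 2, which generates the whole group because 1019 = 3 (mod 8). This is
# far too small for real use; a deployment would use a large standardized group.
P = 1019
G = 2


def is_valid_public(pub, p=P):
    """Reject 0, 1 and p-1: those values lie in tiny subgroups and would let a
    peer force a predictable shared value."""
    return 1 < pub < p - 1


def dh_keypair(p=P, g=G):
    """Return (private, public) for one party; the private exponent is uniform in 1..p-2."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared(priv, peer_pub, p=P):
    """Raw shared value g^(ab) mod p; raises on an invalid peer value."""
    if not is_valid_public(peer_pub, p):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_lan_key(shared, vlan_id, ap_pub, station_pub):
    """Turn the shared value into a 32-byte key bound to the VLAN id and to both
    public values, so that a key negotiated for VLAN 1 can never double as VLAN 2's
    key even if the raw shared values happened to coincide (constructed KDF)."""
    transcript = b"|".join([
        b"wireless-vlan-key",
        str(vlan_id).encode(),
        str(ap_pub).encode(),
        str(station_pub).encode(),
        str(shared).encode(),
    ])
    return hmac.new(b"constructed-kdf-salt", transcript, hashlib.sha256).digest()


def establish_session(vlan_id, p=P, g=G):
    """The exchange run when a station first talks to an access point: each side
    publishes g^x, computes the shared value from its own secret and the peer's
    public value, and derives the same LAN key. Returns (ap_key, station_key)."""
    ap_priv, ap_pub = dh_keypair(p, g)
    st_priv, st_pub = dh_keypair(p, g)
    ap_key = derive_lan_key(dh_shared(ap_priv, st_pub, p), vlan_id, ap_pub, st_pub)
    st_key = derive_lan_key(dh_shared(st_priv, ap_pub, p), vlan_id, ap_pub, st_pub)
    return ap_key, st_key


if __name__ == "__main__":
    a, s = establish_session(1)
    print("keys agree:", a == s, a.hex())
```

Plain Diffie-Hellman as shown protects the key only against a passive listener on the ether; the authentication guarantee the paragraph refers to additionally requires that the exchanged public values be bound to credentials the access point already trusts, which is why the derivation above at least commits to both public values and the VLAN id.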
[0011] Advantageously, the access points are among themselves linked by wired network connections that are known as such. However, this is not a prerequisite: the network connections may also be wireless.
[0012] In order to restrict the load constituted by the data traffic in the data communication network according to the invention, it is desirable that every access point possesses a filter unit for deleting data destined for a computer belonging to a LAN other than the one present in the area of coverage of that particular access point, or which stems from a computer of a first LAN while being destined for a computer of a second LAN. In addition, this guarantees the virtual star structure of the network.

[0013] With a view to data traffic security it is desirable that the filter unit be equipped to delete from the data traffic predetermined types of data, for example data that could be classified as infringing the security or integrity of a network or a part thereof. This may be of particular importance with regard to data exchange in a WINDOWS-NT environment.

[0014] To further serve the controllability of the system, every computer in a wireless LAN is provided with a device for rejecting messages sent by other computers. This procedure effectively provides a star structure between the various access points and the computers communicating with said access points.
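The filter unit of [0012] and [0013] and the station-side rejection of [0014] can be written down as a small simulation. The Python below is an added example for this page, not the patent's own implementation: frames are simple records, each access point learns which VLAN a station belongs to when the station associates (the per-LAN key is what tells it so), and the two filter rules of [0012] are applied in both directions, from the wired backbone into the cell and from the air onto the backbone. The blocked frame types are constructed labels, since the text only speaks of "predetermined types of data", and the network-wide station directory shared between access points is an assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str             # sender: a station name, or "ap" for an access point
    dst: str             # a station name, or "*" for all stations of the VLAN
    vlan: int            # VLAN the frame is tagged with on the wired backbone
    kind: str = "data"   # frame type label (constructed, see BLOCKED_KINDS)


# Frame types the filter unit deletes unconditionally ([0013]). The patent only
# says "predetermined types"; these names are constructed for the example.
BLOCKED_KINDS = {"netbios-name", "smb-browse"}


class AccessPoint:
    """Access point with a filter unit. `directory` is the network-wide map
    station -> VLAN that the access points build from the per-LAN keys and share
    over the backbone (assumption of the example)."""

    def __init__(self, name, directory):
        self.name = name
        self.directory = directory
        self.in_cell = set()          # stations currently served by this cell

    def associate(self, station, vlan):
        self.directory[station] = vlan
        self.in_cell.add(station)

    def vlans_in_cell(self):
        return {self.directory[s] for s in self.in_cell}

    def from_backbone(self, frame):
        """Should a frame arriving on the wired backbone be radiated into this
        cell? Returns (decision, reason)."""
        if frame.kind in BLOCKED_KINDS:
            return False, "blocked-kind"
        if frame.vlan not in self.vlans_in_cell():
            return False, "vlan-not-in-cell"           # first rule of [0012]
        if frame.dst != "*" and frame.dst not in self.in_cell:
            return False, "destination-not-in-cell"
        return True, "radiate"

    def from_air(self, frame):
        """Should a frame received over the air from a station in this cell be
        relayed to the backbone? Returns (decision, reason)."""
        if frame.kind in BLOCKED_KINDS:
            return False, "blocked-kind"
        if self.directory.get(frame.src) != frame.vlan:
            return False, "sender-not-in-tagged-vlan"  # key says another LAN
        dst_vlan = frame.vlan if frame.dst == "*" else self.directory.get(frame.dst)
        if dst_vlan != frame.vlan:
            return False, "cross-vlan"                 # second rule of [0012]
        return True, "relay"


def station_accepts(frame):
    """[0014]: a station only accepts frames relayed by an access point; a frame
    sent directly by another station is rejected, which enforces the star."""
    return frame.src == "ap"


def demo():
    """Constructed topology: Cell A holds stations of VLAN 1 and VLAN 2, Cell B
    holds only a VLAN 2 station. Returns the filter decisions for checking."""
    directory = {}
    ap_a, ap_b = AccessPoint("A", directory), AccessPoint("B", directory)
    ap_a.associate("s1", 1)
    ap_a.associate("s2", 2)
    ap_b.associate("s3", 2)
    return {
        "vlan1-broadcast-into-B": ap_b.from_backbone(Frame("ap", "*", 1)),
        "vlan2-unicast-s3-into-B": ap_b.from_backbone(Frame("ap", "s3", 2)),
        "s1-to-s2-cross-vlan": ap_a.from_air(Frame("s1", "s2", 1)),
        "s2-to-s3-same-vlan": ap_a.from_air(Frame("s2", "s3", 2)),
        "s1-wrong-vlan-tag": ap_a.from_air(Frame("s1", "s3", 2)),
        "blocked-kind": ap_a.from_air(Frame("s2", "*", 2, "netbios-name")),
        "station-direct": station_accepts(Frame("s2", "s1", 2)),
        "station-via-ap": station_accepts(Frame("ap", "s1", 1)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The `from_air` check that the sender's key-derived VLAN matches the tag it puts on the frame is what makes the separation hold even when a station mis-tags its traffic; without it the backbone would have to trust the tag alone.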
[0015] It is further desirable that each computer be provided with one or more additional keys for encoding and decoding the data traffic destined for a group of computers, or for all computers in the same virtual LAN. In addition to the point-to-point data message communication on an individual basis, the virtual LAN would then also provide the possibility of multipoint message communication and broadcast message communication.
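To show how the unique key of [0007] and [0008] and the additional group keys of [0015] act on an individual frame, here is an added Python example written for this page (not the patent's own mechanism): one LAN key is split into an encryption key and an authentication key, each frame is encrypted with a keystream derived from that key and a fresh nonce and then authenticated over header and ciphertext (encrypt-then-MAC), and a receiving station picks the key from its key ring according to whether the frame is addressed to it individually or to its group. The frame layout, the HMAC-SHA256-based keystream and the key-ring structure are assumptions of the example; a real deployment would use a standard authenticated cipher.

```python
import hashlib
import hmac
import secrets

SCOPE_CODE = {"station": b"\x00", "group": b"\x01"}   # constructed header field


def _prf(key, label, *parts):
    """HMAC-SHA256 used as a keyed PRF for key separation, keystream and tag."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def subkeys(lan_key):
    """Derive separate encryption and authentication keys from one LAN key so
    the two uses never share key material."""
    return _prf(lan_key, b"enc"), _prf(lan_key, b"mac")


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from the PRF (stand-in for a real stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += _prf(enc_key, b"stream", nonce, counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def protect(lan_key, vlan_id, scope, plaintext):
    """Encode one frame under the key of VLAN `vlan_id`, either for a single
    station ("station") or for the whole VLAN ("group"). Returns a dict that
    stands in for the over-the-air frame (constructed format)."""
    enc_key, mac_key = subkeys(lan_key)
    nonce = secrets.token_bytes(12)      # fresh per frame; never reuse under one key
    keystream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    header = vlan_id.to_bytes(2, "big") + SCOPE_CODE[scope] + nonce
    return {"vlan": vlan_id, "scope": scope, "nonce": nonce, "ct": ct,
            "tag": _prf(mac_key, b"tag", header, ct)}


def unprotect(lan_key, frame):
    """Decode a frame with the key the receiver holds for it. Returns the
    plaintext, or None when the tag does not verify, i.e. the frame was encoded
    under another LAN's (or another station's) key or was modified in transit."""
    enc_key, mac_key = subkeys(lan_key)
    header = frame["vlan"].to_bytes(2, "big") + SCOPE_CODE[frame["scope"]] + frame["nonce"]
    expected = _prf(mac_key, b"tag", header, frame["ct"])
    if not hmac.compare_digest(expected, frame["tag"]):
        return None
    keystream = _keystream(enc_key, frame["nonce"], len(frame["ct"]))
    return bytes(a ^ b for a, b in zip(frame["ct"], keystream))


def station_keyring(vlan_id, own_key, group_key):
    """[0008] gives each station its own key; [0015] adds a key shared by the
    group or by the whole VLAN. The ring is indexed by (scope, vlan)."""
    return {("station", vlan_id): own_key, ("group", vlan_id): group_key}


def receive(keyring, frame):
    """What a station does with a frame it hears on the ether: holding no key for
    that VLAN and scope means the frame belongs to another virtual LAN, so it is
    dropped unread; holding a key that does not verify the tag has the same result."""
    key = keyring.get((frame["scope"], frame["vlan"]))
    return None if key is None else unprotect(key, frame)
```

Because the tag is computed over the VLAN id and scope as well as the ciphertext, a frame cannot be re-labelled for another VLAN without the corresponding key, which is the property the description relies on when it says the LANs are "distinguished and separated" on a shared medium.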

[0016] Application of the invention is possible by using the standard IEEE 802.11 technology for wireless local area networks. By applying the invention, the respective wireless virtual local area networks are distinguished and separated from each other, without the risk of data traffic arriving at any other than the intended destination. The invention enables the computer users within the various local area networks to move about freely within the area served by the various access points.

[0017] The invention will now be further elucidated with reference to a single drawing which schematically shows the data communication network according to the invention.

[0018] The data communication network shown is suitable for data exchange between computers, each of which is indicated by the term "station". The data communication network shown comprises, at least in the portion shown, two virtual local area networks indicated by VLAN 1 and VLAN 2. The virtual local area networks VLAN 1 and VLAN 2 are linked with the network via data traffic through the ether, taking place with the aid of an access point, indicated as such in the figure. According to the invention, the data traffic between such an access point and the computers "station" is encoded by means of a key code which, in the case illustrated, is unique for each computer, whereby an individualized link is provided between each computer "station" and the respective access point. Another possibility is to apply such a unique key code only per LAN, so that all computers of that particular LAN are able to participate in the data traffic. The unique key is, for example, determined for each LAN or computer beforehand. Another possibility is to postpone the determination of the unique key until the moment that data traffic between one or more computers from a LAN and the network is imminent. Generation may then be effected by means of a public-key algorithm. Such public-key algorithms are known to the expert and require no further explanation.

[0019] The figure shows further that the respective access points are interlinked by means of wired network links which are known as such, and called "wired backbone". To make effective use of the data communication network without overloading by excessive data traffic, each access point is provided with a filter unit for deleting any data destined for a computer of LAN VLAN 1 or VLAN 2 respectively, other than the one present in the respective area of coverage (Cell A or Cell B) of that particular access point. The filter unit is also equipped to delete data sent from a first LAN and destined for a computer of a second LAN. The result is a logical separation of the VLANs. Said filter unit can also delete specific types of data. Furthermore, every computer "station" is equipped with an element for rejecting data sent by another computer "station". In this manner the data network acquires a star structure.

[0020] Thanks to the virtual and wireless character of the local area networks applied in the network according to the invention, a computer station forming part of local area network VLAN 2 may be moved from the one area of coverage Cell A to an area of coverage Cell B, served by another access point, without losing the integrity of a local area network. Thus the advantage of the invention is that, despite the use of wireless computers "station" together with virtual local area networks, the advantage associated with said latter technique, namely improved controllability of the data traffic in the data communication network, is realized without conceding anything to the mobility of the computers used in the network. Thanks to the filter units provided in the various access points forming part of the network, the speed of the data traffic in this network and the logical separation of the LANs are guaranteed.
Claims

1. A data communication network suitable for the exchange of data between computers, which network comprises at least one substantially wireless LAN (Local Area Network) and access points distributed over an area of coverage for linking the computers comprised in the minimally one LAN, with the network, characterized in that the minimally one wireless LAN is virtual and that the data traffic with the computers belonging to that particular LAN is individualized by encoding the data exchanged between the computers and the access points by using for each LAN a unique key.

2. A data communication network according to claim 1, characterized in that every computer is provided with its own unique key.

3. A data communication network according to claim 1 or 2, characterized in that the data communication network is equipped to generate the unique key the moment that data traffic between one or more computers from a LAN and the network is established.

4. A data communication network according to claim 3, characterized in that the generation of the unique key occurs with a public-key algorithm.

5. A data communication network according to one of the claims 1-4, characterized in that among themselves, the access points are linked by means of wired network links.

6. A data communication network according to one of the claims 1-5, characterized in that every access point possesses a filter unit for deleting data destined for a computer belonging to a LAN other than the one present in the area of coverage of that particular access point, or which stems from a computer of a first LAN while being destined for a computer of a second LAN.

7. A data communication network according to claim 6, characterized in that the filter unit is equipped to delete from the data traffic predetermined types of data.

8. A data communication network according to one of the claims 1-7, characterized in that every computer in a wireless LAN is provided with a device for rejecting messages sent by other computers.

9. A data communication network according to one of the preceding claims, characterized in that each computer is provided with one or more additional keys for encoding and decoding the data traffic destined for a group of computers, or for all computers in the same virtual LAN.